Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-01-22 17:10:00

patrick
Contributor
Registered: 2019-01-14
Posts: 8

t5577 card not working

Hello,

I just received my proxmark RDV4 from Hackerwarehouse with 2 cards one t5577 card and the other GEN1A card from ProxGrind.
I cloned my em410 tag to the card t5577 which it worked perfectly, but when I try the card t5577 from proxgrind on the door reader of the building it doesn't work.  The only thing that is different is the buffer samples.
Any help please? how can i copy also the buffer sample to be the same as the original fob.

Thank you

Steps:

1. EM410 fob:

pm3 --> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
EM410x  pattern found          

EM TAG ID      : 12B003B841          

Possible de-scramble patterns          
Unique TAG ID  : 480DC01D82          
HoneyWell IdentKey {          
DEZ 8          : 00243777          
DEZ 10         : 2953033793          
DEZ 5.5        : 45059.47169          
DEZ 3.5A       : 018.47169          
DEZ 3.5B       : 176.47169          
DEZ 3.5C       : 003.47169          
DEZ 14/IK2     : 00080262445121          
DEZ 15/IK3     : 000309468339586          
DEZ 20/ZK      : 04080013120001130802          
}
Other          : 47169_003_00243777          
Pattern Paxton : 303560257 [0x1217F641]          
Pattern 1      : 684864 [0xA7340]          
Pattern Sebury : 47169 3 243777  [0xB841 0x3 0x3B841]          
          
[+] Valid EM410x ID Found!
          
pm3 --> lf read
#db# LF Sampling config          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample          
#db# buffer samples: 2a 2f 35 3a 3e 43 67 85 ...          
Reading 39999 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1 

2. t5577 after cloning (proxgrind cards):

  lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
EM410x  pattern found          

EM TAG ID      : 12B003B841          

Possible de-scramble patterns          
Unique TAG ID  : 480DC01D82          
HoneyWell IdentKey {          
DEZ 8          : 00243777          
DEZ 10         : 2953033793          
DEZ 5.5        : 45059.47169          
DEZ 3.5A       : 018.47169          
DEZ 3.5B       : 176.47169          
DEZ 3.5C       : 003.47169          
DEZ 14/IK2     : 00080262445121          
DEZ 15/IK3     : 000309468339586          
DEZ 20/ZK      : 04080013120001130802          
}
Other          : 47169_003_00243777          
Pattern Paxton : 303560257 [0x1217F641]          
Pattern 1      : 684864 [0xA7340]          
Pattern Sebury : 47169 3 243777  [0xB841 0x3 0x3B841]          
          
[+] Valid EM410x ID Found!
          
pm3 --> lf read
#db# LF Sampling config          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample          
#db# buffer samples: ff ff ff ff ff ff ff ff ...          
Reading 39999 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1 

3. I configured the device for the t55xx card:

 pm3 -->   lf t55xx deviceconfig a 29 b 17 c 15 d 47 e 15 p
#db# LF T55XX config          
#db#   [a] startgap............29*8 (232)          
#db#   [b] writegap............17*8 (136)          
#db#   [c] write_0.............15*8 (120)          
#db#   [d] write_1.............47*8 (376)          
#db#   [e] readgap.............15*8 (120) 

P.S: I tried to wipe out the card and write it again but it didn't work after configuring the device.

4. Wiping t5577 card:

 pm3 --> lf t55xx wipe 

Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
          
Writing page 0  block: 00  data: 0x000880E0 pwd: 0x00000000          
Writing page 0  block: 01  data: 0x00000000           
Writing page 0  block: 02  data: 0x00000000           
Writing page 0  block: 03  data: 0x00000000           
Writing page 0  block: 04  data: 0x00000000           
Writing page 0  block: 05  data: 0x00000000           
Writing page 0  block: 06  data: 0x00000000           
Writing page 0  block: 07  data: 0x00000000           
pm3 --> lf t55xx wipe i

Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
          
Writing page 0  block: 00  data: 0x000880E0 pwd: 0x00000000          
Writing page 0  block: 01  data: 0x00000000           
Writing page 0  block: 02  data: 0x00000000           
Writing page 0  block: 03  data: 0x00000000           
Writing page 0  block: 04  data: 0x00000000           
Writing page 0  block: 05  data: 0x00000000           
Writing page 0  block: 06  data: 0x00000000           
Writing page 0  block: 07  data: 0x00000000           
pm3 --> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
EM410x  pattern found          

EM TAG ID      : 12B003B841          

Possible de-scramble patterns          
Unique TAG ID  : 480DC01D82          
HoneyWell IdentKey {          
DEZ 8          : 00243777          
DEZ 10         : 2953033793          
DEZ 5.5        : 45059.47169          
DEZ 3.5A       : 018.47169          
DEZ 3.5B       : 176.47169          
DEZ 3.5C       : 003.47169          
DEZ 14/IK2     : 00080262445121          
DEZ 15/IK3     : 000309468339586          
DEZ 20/ZK      : 04080013120001130802          
}
Other          : 47169_003_00243777          
Pattern Paxton : 303560257 [0x1217F641]          
Pattern 1      : 684864 [0xA7340]          
Pattern Sebury : 47169 3 243777  [0xB841 0x3 0x3B841]          
          
[+] Valid EM410x ID Found! 

.

5. dumping the t5577 card:

 pm3 --> lf t55xx config
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 0 - RF/8          
Inverted   : No          
Offset     : 0          
Seq. Term. : No          
Block0     : 0x00000000          
          
pm3 --> lf t55xx dump
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | FF0F0F0F | 11111111000011110000111100001111 | ....          
 01 | FF0F0F0F | 11111111000011110000111100001111 | ....          
 02 | 00F0F0F0 | 00000000111100001111000011110000 | ....          
 03 | 0F0F0F0F | 00001111000011110000111100001111 | ....          
 04 | 00F0F0F0 | 00000000111100001111000011110000 | ....          
 05 | 07878787 | 00000111100001111000011110000111 | ....          
 06 | 00F0F0F0 | 00000000111100001111000011110000 | ....          
 07 | FF0F0F0F | 11111111000011110000111100001111 | ....          
Reading Page 1:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 00F0F00F | 00000000111100001111000000001111 | ....          
 01 | 0F0F0F0F | 00001111000011110000111100001111 | ....          
 02 | 00F0F0F0 | 00000000111100001111000011110000 | ....          
 03 | 0F0F0F0F | 00001111000011110000111100001111 | ....  

6. Device version:

 pm3 --> hw ver

Proxmark3 RFID instrument
          

 [ CLIENT ]          
 client: iceman build for RDV40 with flashmem; smartcard;  
          
 [ ARM ]
 bootrom: iceman/master/13ed4f4 2019-01-14 12:53:36
      os: iceman/master/13ed4f4 2019-01-14 12:53:38

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev A          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 248101 bytes (47%) Free: 276187 bytes (53%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory 

7. Device status

 pm3 --> hw stat
#db# Memory          
#db#   BIGBUF_SIZE.............40000          
#db#   Available memory........40000          
#db# Tracing          
#db#   tracing ................1          
#db#   traceLen ...............0          
#db# Currently loaded FPGA image          
#db#   mode.................... LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51          
#db# Flash memory          
#db#   Baudrate................24MHz          
#db#   Init....................OK          
#db#   Memory size.............2 mbits / 256kb          
#db#   Unique ID...............0xd567a882a7a0c825          
#db# Smart card module (ISO 7816)          
#db#   version.................v3.10          
#db# LF Sampling config          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# LF T55XX config          
#db#   [a] startgap............29*8 (232)          
#db#   [b] writegap............17*8 (136)          
#db#   [c] write_0.............15*8 (120)          
#db#   [d] write_1.............47*8 (376)          
#db#   [e] readgap.............15*8 (120)          
#db# USB Speed          
#db#   Sending USB packets to client...          
Status command failed. USB Speed Test timed out          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!          
#db#   Time elapsed............1500ms          
#db#   Bytes transferred.......1367552          
#db#   USB Transfer Speed PM3 -> Client = 911701 Bytes/s          
#db# Various          
#db#   MF_DBGLEVEL.............1          
#db#   ToSendMax...............-1          
#db#   ToSendBit...............0          
#db#   ToSend BUFFERSIZE.......2308          
#db# Installed StandAlone Mode          
#db#    LF HID26 standalone - aka SamyRun (Samy Kamkar) 

Last edited by patrick (2019-01-23 17:25:26)

Offline

#2 2019-02-20 20:28:30

patrick
Contributor
Registered: 2019-01-14
Posts: 8

Re: t5577 card not working

can anyone explain the buffer sample please?

Offline

#3 2019-02-20 21:00:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: t5577 card not working

i can't see a  lf t55 detect   before wiping or dumping ...

Online

#4 2019-02-20 22:32:58

patrick
Contributor
Registered: 2019-01-14
Posts: 8

Re: t5577 card not working

Hey Iceman when I do lf t55 detect it gives me:

 [!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

.

But right now it's not working anymore:

pm3 --> lf t55xx deviceconfig a 29 b 17 c 15 d 47 e 15 p
#db# LF T55XX config          
#db#   [a] startgap............29*8 (232)          
#db#   [b] writegap............17*8 (136)          
#db#   [c] write_0.............15*8 (120)          
#db#   [d] write_1.............47*8 (376)          
#db#   [e] readgap.............15*8 (120) 

trying the t55xx proxgrind card

pm3 --> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
          
[-] No known 125/134 KHz tags Found!
          
          
[=] Checking for Unknown tags:
          
[-] no repeating pattern found          
[=] Possible Auto Correlation of 20480 repeating samples          
[=] Possible 2560 bytes          
FSK1a decoded bitstream:          
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
1010101010101011
0100101010101010
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
1010101010101011
0100101010101010
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
1010101010101011
0100101010101010
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
10          

Unknown FSK Modulated Tag Found! 

Changing the configuration:

 pm3 --> lf t55xx config d FSK
Chip Type  : T55x7          
Modulation : FSK          
Bit Rate   : 0 - RF/8          
Inverted   : Yes          
Offset     : 0          
Seq. Term. : No          
Block0     : 0x00000000

Try to copy the fob tag

  lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
EM410x  pattern found          

EM TAG ID      : 12B003B841          

Possible de-scramble patterns          
Unique TAG ID  : 480DC01D82          
HoneyWell IdentKey {          
DEZ 8          : 00243777          
DEZ 10         : 2953033793          
DEZ 5.5        : 45059.47169          
DEZ 3.5A       : 018.47169          
DEZ 3.5B       : 176.47169          
DEZ 3.5C       : 003.47169          
DEZ 14/IK2     : 00080262445121          
DEZ 15/IK3     : 000309468339586          
DEZ 20/ZK      : 04080013120001130802          
}
Other          : 47169_003_00243777          
Pattern Paxton : 303560257 [0x1217F641]          
Pattern 1      : 684864 [0xA7340]          
Pattern Sebury : 47169 3 243777  [0xB841 0x3 0x3B841]          
          
[+] Valid EM410x ID Found!
          
pm3 --> lf read
#db# LF Sampling config          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample          
#db# buffer samples: 00 00 03 0a 4f 82 ab c9 ...          
Reading 39999 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
pm3 --> lf em 410x_write 12B003B841 1
Writing T55x7 tag with UID 0x12b003b841 (clock rate: 64)          
#db# Started writing T55x7 tag ...          
#db# Clock rate: 64          
#db# Tag T55x7 written with 0xff8cb7000d78a47a 

But the issue persists:

 pm3 --> lf search 
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
          
[-] No known 125/134 KHz tags Found! 

Do you think that the card is damaged and need to be replaced or do I need to use the official repo from GitHub instead of the RRG repo?

Thank you in advance for your help.

Last edited by patrick (2019-02-20 22:33:57)

Offline

#5 2019-02-20 22:44:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: t5577 card not working

There is a lot of wrongs here.

First, you seem to be confused about t55xx config and t55xx deviceconfig.
Second,  when reading a t55xx tag, where you set FSK and a wrong bitrate in order to read a em410x will be problematic.

So before I would even think about saying "damaged card" or swapping repo I would consider trying to understand what I am trying do to and maybe even read a datasheet or two...

Online

#6 2019-02-28 05:26:46

patrick
Contributor
Registered: 2019-01-14
Posts: 8

Re: t5577 card not working

I still couldn't find any explanation about the buffer samples. Can you please guide me through or enlighten me with your knowledge.

Thank you

Offline

Board footer

Powered by FluxBB